Rails - Work Around Authenticity Token

StackOverflow https://stackoverflow.com/questions/17801568

Question

I have an interesting challenge to solve on an old Rails 2.0.2 application (in the process of being updated to Rails 4 but I can't wait that long to solve this problem). The problem is this: we're about to distribute offline content that is meant to ultimately bring the user online to our website. In the transition from offline to online there is a form they fill out offline but that we want to be able to post the data to the online version of the form without the user having to fill the same form out twice. The problem I'm seeing is how to deal with the the Authenticity Token that changes in the online version. Anyone have any suggestions on how we can work around this. I understand the purpose of the Authenticity Token is to prevent what I'm trying to do but can I work around it, for example, by somehow prefilling the online version with the data from the offline version? I don't think I can reproduce a currently working authenticity token/session pair unless I can somehow write the same session_id to a cookie of the online form's domain? Or maybe I have to address it server-side? I was trying to avoid having custom code server-side just for this issue... Thanks ahead of time for any responses.

Was it helpful?

Solution

Instead of POSTing to the online form, GET the online form and prepopulate the fields using a query string.

For example, an offline form with first and last names will, when submitted, perform a GET request like this:

mysite.com/offline_form/new?first_name=Dick&last_name=Steele

This URL will render a live new form, complete with a valid CSRF token. Use the query string to populate the input fields. Query string can be accessed via params[].

form_for :online do |f|
  f.text_field :first_name, value: params[:first_name]
  f.text_field :last_name, value: params[:last_name]
  # ...
end

This way, your users can submit a live CSRF-tokenized form without having to fill out a second form. At minimum, your users will have to click two submit buttons. You can present the online version of the form as a confirmation step.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top